• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 641
  • Last Modified:

Allow users to install programs on client machines and use USB devices, in sbs 2011.

This is at the request of the owner, its a small office, 7 machines, and they want to be able to install their own apps like itunes, acrobat etc, also have to ability to use USB devices.

What do I have to do to make this happen.  Is there a way to allow updates for itunes, or microsoft security essentials, without allowing all exes?

0
savethehumans
Asked:
savethehumans
  • 2
2 Solutions
 
Don S.Commented:
The way I grant install (local administrative) privileges is to make a global group a member of the local computer's administrators group.  Then I can make a user a member of that global group (and therefore the ability to install programs) from ADUC without ever having to revisit the local computer.  Of course, this is highly inadvisable because most end users do not know what they are doing and will likely mess up their computers and more.  I know, you may not have a choice, they just want to be able to do anything they want.  In any case, setting it up like this will allow you to easily  grant and revoke that ability when needed.  Some programs can be updated without admin privileges, most non- Microsoft ones cannot - at least using their own builtin update mechanisms.  That is why most larger networks deploy updates like that centrally using various methods such as GPO, System center or other third party systems.
0
 
savethehumansAuthor Commented:
I dont totally understand what you are saying here, can you please elaborate a bit...

"grant install (local administrative) privileges is to make a global group a member of the local computer's administrators group."
0
 
Don S.Commented:
A user must be a member of their computer's administrators group in order to install most software.  By making a domain global group (call it Local admin as an example) a member of each computer's administrator's group,it sets up the ability to grant install privileges by adding the user to a domain group instead of going to each PC to do that for each user and for every time something changes or moves.
0
 
Rob WilliamsCommented:
Though using the group method is standard practice with Windows servers, SBS is a different product and wizards should always be used when possible. In the SBS console under users and groups | users | user name -properties | computers | you can select a computer and change whether a user is to be a basic user or a LOCAL admin. If you are going to make a large number of users admins of a large number of computers this is not practical and you may want to use the groups method, but most often you want to make just the primary user an admin of their own machine.

Also, when you join new computers to an SBS domain properly using the http://connect wizard you are given the choice of which users to assign to the machine and whether they will be basic users or admins of that machine.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now